Subscribe to Help Center RSS FeedThis article discusses how to un-enroll individual Mac computers and MDM profiles from JumpCloud MDM, as well as how to remove Apple MDM from a JumpCloud organization, which will un-enroll all Apple devices in the organization.
Removing the JumpCloud MDM Enrollment Policy from a Mac does not remove the enrollment profile.
If the Mac is subject to the MDM Enrollment Policy, removing the profile manually or via command will not be permanent. The device will receive the MDM profile again once the agent checks in again. However, this profile will not be auto-approved. If the device is to remain un-enrolled, the JumpCloud MDM Enrollment policy will need to be unbound from the device.
Removing the MDM Configuration from a Mac
There are two ways to remove the MDM configuration from a Mac: via the JumpCloud API, or directly on the device via System Settings.
Via JumpCloud API
You can remove the MDM configuration from a device using the JumpCloud V2 API. See JumpCloud V2 API Docs.
You'll need 3 values to complete this method:
- JumpCloud API Key
- MDM ID - this is the identifier of your organization's MDM configuration.
- MDM Device ID - this is the identifier unique to each device enrolled in MDM.
To gather the required values and remove the JumpCloud MDM Enrollment Profile from a device via the API:
- Obtain your API key from the JumpCloud Admin Portal. See Obtaining Your API Key.
- In the macOS Terminal, insert your API key into the command below and run it to gather your MDM ID:
curl https://console.jumpcloud.com/api/v2/applemdms \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'x-api-key: INSERT_API_KEY_HERE'
The MDM ID is the value in quotes after [{"id":"
- Next, obtain the MDM Device ID:
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
-
- Go to Device Management > Devices.
- Click the desired device from the Devices list.
- Go to the Insights tab and scroll down to Device Info.
- Copy the JumpCloud MDM ID.
- Now you can remove MDM enrollment for the specified device by launching the macOS Terminal and inserting the gathered values into the following command:
curl -X DELETE https://console.jumpcloud.com/api/v2/applemdms/INSERT_MDM_ID_HERE/devices/INSERT_MDM_DEVICE_ID_HERE \
-H 'accept: application/json' \
-H 'x-api-key: INSERT_API_KEY_HERE'
- Restart the device to ensure removal of the JumpCloud MDM enrollment profile.
Via System Settings
You can remove the MDM configuration manually on a device from System Settings.
This method works only for devices that are device enrolled. See Add Company-Owned Apple Devices to MDM with Device Enrollment.
Devices enrolled with Apple's Automated Device Enrollment (ADE) cannot be removed using the following method. ADE devices must be removed either via the API, or by deleting the device from JumpCloud entirely (which also removes the JumpCloud Agent).
To remove the enrollment profile on macOS Ventura 13 and later:
- Go to System Settings > Privacy and Security > Profiles to view the MDM Enrollment profile.
- As an admin user on the device, select the MDM Enrollment Profile in the list and click the "-" button to remove it.
Removing the MDM Configuration from an Organization
Considerations:
Removing the MDM Configuration will result in loss of access to MDM features, including:
- Security Commands
- Patch Management
- Deleting your MDM configuration permanently removes all associated certificates and configuration files. Remove your MDM configuration only if you no longer want to use MDM to manage your devices.
- This will remove the JumpCloud MDM profile from ALL Apple devices in the organization! Deleting the MDM Configuration from your organization will bulk un-enroll ALL devices at their next check-in with JumpCloud.
- To remove a single device from MDM, follow the steps above for removing the MDM profile from an individual device.
- From the JumpCloud Admin Portal, go to Device Management > MDM.
- Under Apple > Home, click the Delete button under APNs Configuration for MDM.
- To confirm, enter the amount of macOS and iOS devices that will be removed from MDM management.
- Click Delete MDM Configuration.
Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.
In this Article
Learn More